My name is Eric Van Albert.
I'm David Lawrence.
And unfortunately Rob couldn't be with us today, but he contributed a lot to this project.
We're just two MIT students.
We don't really have any more credentials than that.
Playing with locks is a hobby for us, as I imagine it is with a lot of you guys.
If you want to contact us, locks, L-O-C-K-S, at MIT.edu.
And hope you enjoy this talk.
We're going to talk about the Schlage Primus lock.
How many of you guys were just here for Marc's talk?
Marc and Toby.
Fantastic.
So the first part I'm going to talk about is how pin tumbler locks work.
So I guess we can do more of a quiz than an informational session here.
So when you have a pin tumbler lock, you have a plug and you have the body.
And you have a bunch of pin stacks constraining them together.
Now if you insert the correct key, you raise all of the pin stacks up to the interface
between the plug and the body, which allows the plug to turn.
Now what's that interface called?
Shear line.
Wonderful.
And so we have a video here.
You want to do this?
Sure.
This is a cutaway lock so you can see the pins inside of it.
You see that?
Now as you insert the key, you can watch the pins move up and down.
When it's not inserted all the way, you can see there's a split that's above the shear
line and so the bottom pin is blocking the plug from turning.
If you insert it all the way, then all of the splits line up and you can turn the plug.
Everybody see that?
Great.
Now these locks are vulnerable to a lot of different things.
One thing, as Marc and Toby talked about, is key duplication.
You can take these keys to any old hardware store and they will copy them for you.
Now another attack that you can perform on these locks is manipulation attacks.
This includes picking and impressioning.
And inserting long wires in the keyway to get the gel piece.
Now I'll go over those quickly since Marc and Toby didn't talk about them a lot.
Picking is where you exploit the mechanical defects in the lock.
By applying torque to the plug, you can cause all the pin stacks to bind.
Now, in a perfect lock, they would all bind at the same time, and at that point you'd
be screwed.
But because the holes are slightly misaligned, when you put torque on the plug, only one
of them is going to bind.
And if you use a pick to then raise that pin up to the shear line, then it will set.
The plug will turn a very small amount and it will trap the top pin up and the bottom
pin down and then you don't have to worry about it anymore.
And you can repeat that for every pin until the lock is open.
Impressioning, I'm not going to go into great detail on because I'm not very good at
it.
It involves taking a blank key, wiggling it up and down a lot and using the torque
and binding action to produce marks on the key.
And then you can file down those positions until you end up with a working key.
So pin tumbler locks are necessary background for the Schlage Primus because, if you look
on the top of the Schlage Primus key, there is a standard pin tumbler top bitting.
The Schlage Primus just adds a second independent locking mechanism, which is this little squiggly
line on the bottom of the key.
And we're going to call that the side bitting.
Now, an important part about the Primus key is that you can completely
separate these two things.
In fact, we've cut a couple keys in half so that we can play with just the side bar or
just the top bitting.
Now you can see here is a side bar only.
And then here, here's a full key.
It's actually a blank key with just the side milling on it.
Now you can pick these locks.
Can anybody in the audience pick a Primus lock?
Has anybody done it before?
One guy in the back.
Well, I salute you.
You're much more skilled than I am.
We cannot pick Primus locks.
I have one friend who can do it.
He's very good at it.
But we have to resort to more primitive methods.
Now, what we're going to do is not look at keyless entry.
We're going to look at key duplication attacks.
So this is basically using information that you gather somehow about the key and producing
a working key to the lock.
There's a lot of things in place to restrict this.
For instance, the way you actually get these keys from Schlage is you have to send them
your proof that you are who you say you are and that you are entitled to get these keys.
And what they will send you is a blank key.
This key is blank in the sense that it doesn't have any top bitting on it, but it does have
a side bar.
Schlage claims that they are the only ones who can produce this side bar.
And they go through great extents and charge you a lot of money to get side bars.
And so in order to attack this lock, we go through four steps.
First we need to figure out how exactly this side milling works and how it actuates the
parts in the lock.
We're then going to create a 3D model of the Primus key, which is, of course, the first
step in any good manufacturing process. Then we're
going to look at several different ways of fabricating keys, both additive and subtractive
processes, and the implications of this for Primus and high security locks and pretty
much mechanical locks everywhere. All right. So we'll start out with reverse
engineering the Primus. And we're calling it reverse engineering, but there is nothing
difficult about this. There's no great amount of intelligence required. So start out with
the Primus key. You don't know anything else about the lock. What does it say on it? Primus,
do not duplicate. Actually, we may have to end a little early now, so thank you all for
coming. But then the third line of the key is quite interesting. It's a U.S. patent
number. Now, I'm guessing Schlage thinks that the patent makes the key more secure, that
they can use it to pursue legal action against anyone that is so foolish.
But actually, U.S. patent filings are public. So you look it up, and you get this is one
of about 20 pages of technical drawings and documents explaining exactly how it works.
So you can see that on this key, there are the usual six cuts on the top of the key.
There are five additional cuts on the side of the key. And there's this second independent
mechanism in the side of the lock, which is actuated by those five cuts on the side.
And we'll take a closer look at that soon.
So you read through this patent, and you get a basic idea of how it operates. But there's
a lot more information that's easily accessible. So suppose you do a Google search for Primus
service manual. Well, there you are. They have it up on their website. And if we look
inside there, there are some fantastic
technical drawings that they've provided to us. So here you can see how that side mechanism
is actuated. There's a L-shaped pin called a finger pin, which rides up and down in those
grooves on the side of the key. And that meshes into this side bar, very similar to
the side bar in the previous talk, if you were in here.
And when those finger pins are lined up properly with the side bar, as you can see in the drawings
at right, the side bar can retract and the cylinder can open. And if those finger pins
are not aligned correctly, they will block the side bar, and that will prevent the lock
from opening. So the finger pins have got to be lifted to the correct height and rotated
to the correct angle. They have two degrees of freedom. So let's take a look. Here is
a cutaway lock and a side bar. So you can see in there, the finger pins, you'll see
them moving.
And you can see they're going to be misaligned until the key is all the way in. And then
suddenly all five of them will be lined up. So can you maybe rotate it back and forth
a little just to get the right angle of light on them?
Can you see in there? They rotate until they're all lined up.
So they're all lined up when the key is all the way in and not in any other circumstance.
And if the wrong side bar is used, then of course they won't line up.
Do you want to show this one?
Not yet.
So that's basically it for the operation of this lock. If there are any missing details,
you can of course take one apart and look. But it turns out that the awesome folks at
LockWiki already did that.
Thank you, Datagram.
So all you have to do is look around for Schlage Primus photos. And you'll see that they're
all lined up. And you can see exactly how this side bar works. It's got little notches
in it. And there are bumps on the finger pins that fit into those notches exactly as long
as the bump is in the right spot.
So this is the lock. And Schlage believes that because of this side bar, it's quite
secure, resistant to duplication and manipulation attacks. And they're almost right.
So the next thing we're going to do is go ahead and take a look at 3D modeling Primus
keys. So that is, now that you have an idea of how it works, figuring
out the exact dimensions that are needed in order to align those finger pins and the
pins on the top, as well as to make a key that will fit into the lock.
So we'll start out with the top cuts because that's the easy part. This is a page from
the service manual. This is backwards compatible with non-Primus Schlage locks. So none of
this is a secret at all. And this is all the information you need for the top of the
key.
The side of the key is a bit more interesting because all Schlage tells you is that there
are six positions for each cut. They can be left, center, or right, and high or low.
So what we did to figure out the dimensions for this, not using any special tools, was
just put some keys on a flatbed scanner, run them through at 1200 DPI, and extract
the parameters.
And we got nice results. Here they are. Now you know. And you can also see here a picture
from the service manual showing how those different positions actually map onto a key.
So this is the side bar that would be called 62426, deep right, deep left, deep center,
deep left, deep right.
And that's about it for the side bitting. There are a couple of other things we have
to take care of.
We have a minimum slope on the ramps leading down to each cut. Because these pins have
the freedom to rotate, that's got to be steep enough that they'll actually slide down to
the bottom of the cut. Otherwise the friction will keep it misaligned.
There's also a maximum slope there because if the ramp is too steep, the finger pins
will get hung up and the key won't be able to go in and out. So because there's this
rotating pin, you have to balance out these two pins. And you can see that there's a lot
to do with these two factors. And there's only a fairly narrow range of slopes that
work.
And finally, the bottom of that cut has just got to be radiused to match the curvature of
a finger pin in the lock. So we went through and figured out those parameters as well.
And that's it for the dimensions you need for all of the control surfaces of the lock.
With this you can put all of the top pins in the right place, all of the finger pins
in the right place, and then it's open. Of course, the last piece is we do need a key
cross section that will fit in the lock. Now, conveniently, Schlage has this LP keyway
which fits in all of their standard Primus locks. And if we just remove a bit more material
from that, it fits in their restricted keyways as well. And we speculate that the reason
this is possible is that this side bar mechanism imposes such severe constraints on the key
in that the key has got to have this -- I'll show you -- where's the real one?
This one? Yeah. There's got to be a big hole in the side of the key so that the finger
pins can ride on those grooves. There's got to be a side bar. There's got to be material
here for the side cuts. There's very little flexibility to remove additional material
around the side bar. So in that respect, the side bar is actually making it less secure
than a regular lock where there could be very complicated warding blocking a key.
And once we have that key cross section, the last thing to do is to put all these
pieces together into a 3D model. And to do that, we used a really cool program called
OpenSCAD. Now, OpenSCAD is a programming language with a C-like syntax that actually
compiles to 3D models. It was first used to model keys by a guy named Nirav Patel. It
was in 2011. So we saw that and thought it was really cool and went ahead and implemented
the Primus key. It was only a few hundred lines of code. Not a lot of work considering
the purported security of this lock. Here's an example of what it looks like. This is
our top level function called key, which is taking the top code and side code as arguments
and it's calling out to a bunch of different functions that are going to draw the top of
the key and the side of the key and subtract out all of the bumps that need to be subtracted
out. And this is what you get. You call the
function key and you get a 3D model of a working Primus key.
And now, in order to make this useful, we'll tell you about a bunch of different methods
that you can use to easily and cheaply fabricate this.
Yeah, so 3D models are great for eye candy, but it's useless if you can't actually
make it. Now, has anybody filed keys by hand, show of hands? You know,
it's not too hard. You just take a file, you work at it for a while. It takes, you
know, a steady hand, a pair of calipers and a little bit of your time. Now, we thought
that hand machining a Primus key would be impossible until one day our friend Rob sends
us an e-mail with a key that he cut by hand opening a Primus lock. And we're like, wow,
how did you do this? Well, he used very complicated tools, actually. He used a Dremel, a pair
of calipers and a hardware store key blank. That's the only material cost. It was a, you
know, a stock Schlage blank. And he basically, you know, scribed onto the key with the calipers
all of the dimensions from our 3D model and then went at it with a Dremel for about an
hour and stuck it in the lock and it worked. And he's done this a few times now to the
point where you hand him the 11 numbers describing the key and in 45 minutes he'll hand you a
key that will open the lock. It's fantastic.
Now here's some photos of the process. You can see the stock Schlage key blank doesn't
fit in the Primus keyway because they add a few additional wards to prevent you from
breaking the finger pin mechanism. So you thin down the key a little using the Dremel.
You can see some
of the complicated tools we have in our key duplication lab such as calipers and the Dremel.
It also happens that our key duplication lab doubles as our kitchen table. So once the
key is thinned down enough to fit in the Primus keyway, you can start cutting the
valleys for the finger pins to settle into. Here we've cut two of them. And you know,
you basically scribe onto the key, like I said, which you can do with the calipers.
Dremel, scribe some more, measure, repeat, ad nauseam. Here it is with almost
all the cuts completed, just sort of polishing it up. And then we stick it in the lock and
it opens. And we have that to show you now. So here is the hardware store key blank. This
one I think was 25 cents because we got it online. Here is the result. I'm going to show
you. Can you get that? There's the part we dremeled out. Here's the stock blank from
the Schlage factory. You can see the bitting there. Compare that to ours. And let's put
it in the lock. Here's the stock key blank opening the lock. So that works fine. Here's
our key opening the lock.
So that's it. You can dremel it.
So if you have had a couple too many cups of coffee and you don't have a steady enough
hand to dremel this, of course the next logical step is to try a CNC machine. This is
how the Schlage factory makes their keys. They put it in a high speed mill and they
mill out the side bar using computer numerical control. If you are interested in outsourcing
this job to a machine shop, if you want to try to produce a Primus key yourself, you'll
find the setup cost is enormous, simply because there's a lot of work
involved in fixturing the key and a lot of common milling machines don't have the spindle
speeds necessary to operate the small tool diameters you need.
And so a better tool than, like, a large, you know, knee-style mill is probably a desktop
micro mill.
And these are slowly kind of like percolating through the market.
Keep an eye out for ones in the near future that will run you probably a thousand dollars
or a little less.
The one shown here is the Othermill by Otherlab which, according to the specs, would
be capable of milling down a stock Schlage key blank into a Primus key.
This one's not out yet.
It's a funded Kickstarter project.
But the most exciting thing that we tried was 3D printing.
And that's sort of a new space because it's only recently that 3D printers have hit the
levels of precision necessary to open a high security lock.
So we took that 3D model and just sent it to our favorite 3D printing websites, shapeways.com
and i.materialise.
We got keys back in three different materials here.
We tried two different plastic processes and titanium, which was pretty cool.
And well, it turns out that they all worked.
So we're going to show you that now.
So the first material we tried was the shapeways process called frosted ultra detail.
We thought we want to get as much precision as we can here.
And this is a stereolithography process, UV cured.
It's very expensive.
There's a $5 setup cost and then it's going to run you $2 per key.
How much does it cost to get your regular keys duplicated at the hardware store?
$3?
And we found the precision was excellent on the key that came back.
We measured it.
It was great.
The issue with this material was that it's not that strong.
It was plenty strong to attack the side bar and turn the cylinder, but when it comes to
actually pulling back a latch or freeing the hasp on a rusty padlock, we'd be worried that
it would break off.
But there are a lot of things that don't require that, like figuring out whether you have the
correct key for a lock.
Or removing the cylinder from an interchangeable core system.
So let's take a look at this key here.
That's what it looks like.
We don't put the bumps between the cuts because they're useless and they just add friction.
There it is, going into a Primus lock and it's open, real smooth.
So the next thing we tried was a different Shapeways process. This one is called White
Strong and Flexible, and this is laser sintered nylon. This one was actually
cheaper. It was only $3 total. The issue here was the precision. This is not a very high
resolution process but it turns out it's enough and when we got the key back it's a little
less smooth going into the lock. Sometimes you have to give it a jiggle but it works
and it was strong enough to operate most locks because it's a more elastic material. We can
take a look at that. See if you can see the side bar. There is a side bar. It's just hiding.
It's a little bit harder to insert into the lock but once it's in it opens fine and it's
quite strong. Oh, by the way, we brought an old failed attempt here. This was for a key
that didn't open anything but just to give you an idea of how brittle the first one was.
That's it. So you don't want that happening in a lot of cases where you might be using
a plastic key. And then the third thing we tried sort of just to geek out was this titanium
process which sounded amazing. We're going to deposit titanium powder and fuse it together
with a laser. And that turned out awesome. The downside is that it ran us $150 for one
key. But you want to show us?
Let me show that. It is an amazing looking thing. We measured it and it was more precise
than my calipers so I can't actually tell you how good it is but it's certainly within
the specs.
It's better than the Schlage factory most likely.
Yeah. So here it is. We can go into the lock and no problem. And this stuff is super strong.
Here it is. 3D printing three different ways. I suspect there are many more ways that you
could get this. A lot of these outfits are just starting to do lost wax casting where
they actually have 3D printers that print in wax and then maybe they'll even give you
a key out of brass. So we have no reason to suspect that any of these other processes
wouldn't work just as well.
And we also expect to see these prices drop quite soon because the two laser sintered
processes, which are the white one and titanium, are both currently covered by patents so there's
a royalty fee that's part of each of these costs and those patents expire in 2014.
And historically speaking when the FDM patents expired those prices went down, I don't know,
25, 30%.
And we started seeing things like MakerBot.
So it's going to be exciting. Maybe we'll even get down to a $1 or $2.
So finally let's take a look at what this means.
So first for Primus locks, key decoding is easy.
We know all of these dimensions now.
All you're going to need is a key or else a picture of a key or else a good look at
a key if you've got a sense of how deep those cuts are.
But it's not going to be hard, especially if you're decoding that side bar which is
the high security part.
Because there's only six of them.
Six possibilities for each cut and they look quite different.
And of course that means that key duplication is going to be easy because once you've decoded
your key you're going to need the OpenSCAD code that we're releasing and a few dollars
to send off to Shapeways and that's it.
You've got your copy of the key.
Probably even easier than going to the hardware store because you can do it from home.
So one thing that this means is that master key extrapolation is easy.
There's a standard attack that can be executed on regular pin tumbler locks in which you
start with your known change key and a couple of key blanks and you can use them to test
out one pin at a time to find where the master cut is.
Well in a master system the side bar is the same on every key because that's just built
into the key blanks.
And now that we have the ability to produce blanks with that side bar you can execute
the same attack.
And this is effectively just a simple way to execute the master cut.
It's just a regular pin tumbler lock.
Have you guys seen the Matt Blaze paper on that?
Show of hands.
Yeah.
It's a great paper.
Google "Matt Blaze key" or "rights amplification in master keyed systems."
But keyless manipulation is still hard.
These things are still a real pain to pick.
And so we're just looking at starting with some source of the information contained
in a key.
Although note that that's not going to be too hard to come by.
There's been other work in decoding keys from photos.
There's a team at Berkeley I believe with a project called Sneakey which may have been
at one of these conferences a few years ago.
They successfully decoded a regular pin tumbler key from a guy sitting at a table on the
street, from the roof of a four story building across the street with a telephoto lens.
So if you see anyone walking around with their keys hanging from their belt you could probably
get a copy of one of those.
All right.
So we're going to have to recommend.
You probably don't want to use a Primus lock for high security stuff.
If you're using Primus locks already, definitely consider what it means if anyone at all can
go duplicate a key.
It's not new that you could duplicate a key.
You could get a machinist to do this before.
But what's new is now anyone can do it.
There's no barrier in terms of knowledge needed, no cost barrier, anyone who feels
like it.
But the interesting thing is this methodology is not really specific to Primus locks.
There's no specific weakness in the Primus that we're exploiting here.
Any physical lock with a physical key can be modeled and printed.
So it's an industry wide problem that's probably going to start cropping up now because 3D printing
is really just starting to have these precisions.
Okay.
So what's the next step?
So the next step is that key duplication will be much more accessible.
It will be sort of like the scene right now for pirating movies.
It still takes one person who can go and decrypt the Blu-ray disc or go take the video camera
into a theater.
But as soon as they've done it, the entire Internet can download the movie.
So now it's going to take one person to go ahead and model a key and the entire world
can go and download and print them off.
So I think we'll find those people to make the models.
Okay.
And so physical security is going to start depending on information security.
We're breaking into physical systems here by writing code for a key.
I think that's pretty cool.
And patent protection, I think that's going to become a lot less of a useful buzz word
for the lock companies because they can use the patents to threaten legal action against
people who are making physical reproductions of their patented key design.
I don't think they'll be able to go after people who are merely releasing 3D models of
the keys because that's effectively the
same information that's contained in the patent filing.
So they could go after each individual person that is known to have printed one of these
keys.
But I don't think they'll be able to do anything to stop the distribution of these models even
on a patented key system.
Though we're not lawyers.
We're not lawyers.
You should probably talk to Marc Tobias.
We picked Primus here because its patents expired in 2007 and lawyers can make your
day suck.
Even if you didn't do anything.
Here are some other keys that have been 3D printed.
This is a space that's really just starting to develop and this is all recent work.
But you can 3D print a car key.
This is for a Mini Cooper.
Of course this does nothing about the chip in the key.
So this fellow had to keep the real key nearby to drive the car.
But it works for the physical section.
Disk detainer key used commonly in bike locks and some other stuff.
People have 3D printed handcuff keys.
And the field is wide open.
Anything that's just a physical lock, you can model it, put that model up on Thingiverse
or wherever it is, we'll be distributing key models and people can print it out.
So we have some audience projects here that would be really cool if someone else wanted
to do.
We would like to see 3D models of other keys here in OpenSCAD, because it's not that
hard, especially Medeco, which a lot of people think is the highest
security of the high security locks. If you've ever looked at
Marc Tobias' book about Medeco, he's actually published most of
the dimensions that you'll need already. Probably could crank out
a model of that in a day if you wanted. It would be neat to
integrate these 3D models with existing image to key decoding
software to make that process fully automatic and especially
for regular residential keys. That should be fairly
straightforward. Maybe there's a market for an Android app,
iPhone app, take a picture of your key, get a new key in the
mail. And it would be neat to have a place to go to exchange
these 3D models. The Pirate Bay for keys. And here's some food
for thought. If you're from the New York area, you may have heard about the
3D model a few months ago. A lot of people got sort of upset
because a retired locksmith was selling this set of five keys on
eBay. The New York Post published the story, called them the
master keys to New York. These are keys that are used by law
enforcement personnel, fire departments in New York City and
they operate things like the fire overrides and elevators and
the keys to electrical circuit breaker boxes and other cool
things.
And people were starting to get sort of upset that a single set of
these keys had leaked out. But what's going to happen when someone
makes the 3D models for these keys? These have got to be in
hundreds of different buildings. There is no way to change these
locks. And the interesting thing is this picture here published by
the New York Post has probably got enough resolution that you could
go ahead and do it right now.
And also one of the major voting machine manufacturers uses the
same key on all of their voting machines and I believe they at one
point put a picture of this key on their website. On their online
storefront. But even if not, I mean how long will it be until a single
one of those keys leaks out there? Someone models it, a dollar, two
dollars, you can buy a voting machine key to play with.
So if 3D printing keeps picking up, we don't see how this isn't going
to be just a major, major change in the field of physical locks.
So I think that's about all we have here.
We have a couple of people to thank. Do you have a...
Yeah, sure. Of course, like I said, a lot of people worked on this,
but it would be silly to have all six of us up here. So I'd like to
thank Gabe, Vicky, and Brian for helping out with the decoding. Of
course, if you have any questions, feel free to reach out to them.
And of course, Rob, who couldn't be here. But also Vincent, who was the
person manufacturing the Dremel and the photos we showed. And of course,
Schlage as a company for publishing all their fantastic drawings.
And the MIT Locksport community for getting us interested in this in the
first place. Thank you very much.
